Group Data Protection Policy
2
GHL-DG005
Draft Group Data Protection Policy
Policy Title: Group Data Protection Policy
Policy Owner: Chief Data Officer
Prepared by & Date Prepared:
Approved by & Date Approved: BU Heads
Date Effective From: Apr 2021
Policy Review: Mar 2021
Policy ID: GHL-DG005
Table of Contents
1. Background
2. Purpose
3. Scope
4. Definitions
5. Policy Statement
6. Roles and Responsibilities
7. Enforcement
8. Policy Administration
9. Other related policies
10. Version History
11. Appendix A - Guardian Group Data Protection Principles
12. Appendix B - Guardian Group’s Data Protection Management Program Framework
13. Appendix C - Guardian Group’s Data Protection Management Program Federated Governance Model
Approved by (BU Heads):
Naresh Mongroo (Mar 17, 2021 12:38 EDT)
Ravi Tewari (Mar 17, 2021 12:49 EDT)
Alan Sadler (Mar 17, 2021 14:46 EDT)
Anand Pascal (Mar 17, 2021 14:57 EDT)
Karen Bhoorasingh (Mar 17, 2021 15:00 CDT)
Dean Romany (Mar 18, 2021 09:52 EDT)
Brent Ford (Mar 24, 2021 11:12 EDT)
1. BACKGROUND
The Guardian Group (the Group) recognises the importance of ensuring that the organisation is
compliant with requisite Data Protection laws that regulate several of our Business Units.
A vital part of being compliant with these respective laws is our commitment to be transparent
about the ways we protect the personal data entrusted to us by our customers and team
members. Specifically, we are accountable for:
developing a governance structure that promotes and values privacy and that enables every
one of our team members to make the right decisions, every day, about how to respect
privacy when handling personal data;
ensuring that we properly identify and mitigate privacy risks throughout our operations, in
part by striving to apply the principles of Privacy by Design in the development and review of
our products and services; and
earning and maintaining our customers’ and team members’ trust by being transparent about
how we handle personal information and by offering choices where it is appropriate to do so.
2. PURPOSE
The Group (as a Data Controller) considers the safeguarding of data protection rights as part of its
social and legal responsibility. In some countries in which we operate, legislators have defined
standards for protecting the data of natural persons (“personal data”), including the requirement
that such data may only be transferred to other countries if the local law applicable at the place
of destination provides for an adequate level of data protection.
3. SCOPE
The Group Data Protection Policy and associated policies, procedures and standards are
applicable on an enterprise-wide basis to all of the Group’s critical data assets (regardless of the
system in which the data are stored). It is applicable to all Companies and individuals across the
Group who use or control the Group’s Information Resources. This includes:
Board of Directors
All employees of the Group, whether employed on a full-time or part-time basis;
All previous employees of the Group, whether employed on a full-time or part-time
basis;
All job applicants for various positions within the Group;
All contractors, service providers, suppliers, and other people working on behalf of or
engaged by the Group;
Any other data subjects identified through the regular course of business by the Group.
4. DEFINITIONS
4.1. Binding Corporate Rules – Legally binding and enforceable internal rules and policies for data
transfers within multinational group companies. These work in a way somewhat similar to an
internal code of conduct.
4.2. Data Controller – A natural or legal person, public authority, agency or other body which, alone
or jointly with others, determines the purposes and means of the processing of personal data.
4.3. Data Processors – A natural or legal person, public authority, agency or other body which
processes personal data on behalf of the Group.
4.4. Data Processing – Any operation or set of operations which is performed on personal data or on
sets of personal data, whether or not by automated means, such as collection, recording,
organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available, alignment or
combination, restriction, erasure or destruction.
4.5. Data Protection Impact Assessment – A process to help identify and minimise the data
protection risks of a project.
4.6. Data Protection Officer – Ensures, in an independent manner, that an organisation applies the
laws protecting individuals' personal data.
4.7. Data Subject – The identified or identifiable living individual to whom personal data relates.
4.8. Personal Data – Any information relating to an identified or identifiable natural person; an
identifiable natural person is one who can be identified, directly or indirectly, by reference to an
identifier such as a name, an identification number, location data, etc.
4.9. Privacy by Design - A concept that integrates privacy into the creation and operation of new
devices, IT systems, networked infrastructure, and even corporate policies. Developing and
integrating privacy solutions in the early phases of a project identifies any potential problems at
an early stage to prevent them in the long run.
4.10. Standard Contractual Clauses – Standard sets of contractual terms and conditions which the
sender and the receiver of personal data both sign up to, aimed at protecting personal data
leaving the Group’s operational jurisdiction through contractual obligations in compliance with
Data Protection legal requirements in territories which are not considered to offer adequate
protection to the rights and freedoms of data subjects.
5. POLICY STATEMENT
This Policy establishes the common principles and guidelines for conduct that are to govern the
Group regarding personal data protection, ensuring compliance with applicable law under all
circumstances. To support compliance with appropriate standards and laws this data must be
managed using sound data protection principles. This policy endorses the Group’s Data Protection
Principles (refer Appendix A).
5.1. Data Protection Framework
Personal Data is a strategic asset; as such, the Group would implement a Data Protection
Management Framework (refer Appendix B) to ensure that appropriate authority and
controls are applied, and that personal data is managed in compliance with all legislative and
other compliance obligations in territories where we operate.
5.2. Data Protection Policy
A Data Protection Policy (this document) would be maintained by the Chief Data Officer,
approved by the Data Governance Council, and published and communicated to all relevant
employees and relevant external parties.
5.3. Collecting and Processing Personal Data
Data subjects would be made aware, via privacy notices at the point of collection, of what
data is being collected, the purpose for which it is collected, whether it will be shared with
any third parties, etc.
Privacy notices would be included on all physical forms used to collect information as well as
websites, apps, intranet, etc. Additionally, when reviewing the different methods used to
collect personal data, the Group will always consider whether a privacy notice should be
included and add one where needed.
All personal data shall be processed in a lawful manner and in good faith in keeping with
international standards and the respective regulations of the territories in which Guardian
Group operates.
Where the Group collects personal data from third parties (for example, beneficiary
information, emergency contacts, etc.), those data subjects’ personal data would be processed
according to the same principles and standards as prescribed within this policy.
Where the personal data is in relation to a child, the Group would ensure that proper consent
is received from the parent, legal guardian or legal representative of the child before the data
is collected or processed.
5.4. Data Quality
The Group will adopt all necessary measures to ensure that the Personal Data it collects and
processes is complete and accurate in the first instance and is updated to reflect the current
situation of the Data Subject. The measures would include:
o Correcting personal data known to be incorrect, inaccurate, incomplete, ambiguous,
misleading or outdated, even if the Data Subject does not request rectification.
o Keeping personal data only for the period necessary to satisfy the permitted uses or
applicable statutory retention period.
o The removal of personal data if in violation of any of the Data Protection principles
or if the personal data is no longer required.
o Restriction, rather than deletion, of personal data, insofar as:
a law prohibits erasure.
erasure would impair legitimate interests of the Data Subject.
the Data Subject disputes that their personal data is correct and it cannot be
clearly ascertained whether their information is correct or incorrect.
5.5. Data Subject Rights
The Group recognises the rights that all data subjects have in relation to how their personal
data is collected, used, shared, stored and discarded in accordance with the relevant Data
Protection legislation and regulations of the territories in which we operate.
All personal data that is requested from the Group and its respective Business Units will be
provided to the data subject in a concise, transparent, intelligible and easily accessible form,
using clear and plain language in keeping with the Group’s Data Subject Request Policy.
5.6. Privacy by Design, Privacy by Default
The Group shall adopt the principle of Privacy by Design and Privacy by Default and will
ensure:
o that any initiative that involves processing personal data must be done with data
protection and privacy in mind at every step. This includes internal projects, product
development, software development, IT systems etc;
o once a product or service has been released to the public, the strictest privacy
settings should apply by default, without any manual input from the end user;
o when new projects involving personal data are being developed, both at the Group
and individual Business Unit level, a Data Privacy Impact Assessment will be carried
out by the Project Manager and reviewed by the Data Protection Officer in order to
assess any privacy risks to data subjects and the organisation;
o collecting, disclosing and retaining the minimum personal data for the minimum
time necessary for the purpose;
o anonymising personal data wherever necessary and appropriate.
5.7. Sharing of Data
Personal data will not be shared with any third-parties external to the Group (either locally or
internationally) without a valid business reason and/or legal reason. Where required we will
notify individuals that the sharing will take place in the form of a privacy notice. If any new
purposes for the data sharing are to take place, we will seek consent from the individuals
concerned.
When personal data is to be shared locally with third parties external to the Group, a Data
Sharing Agreement will be implemented to ensure that adequate protection is given to that
data so that the Group meets its data protection obligations and protects the rights of the
individuals involved.
Any data sharing will also take into consideration:
o any statutory basis of the proposed information sharing,
o whether the sharing is justified,
o due diligence checks on the third party,
o how to maintain the security of the data being shared.
Where the data is shared with a third party external to the Group internationally, the
provisions under section 5.11 would also apply.
5.8. Data Protection Breaches
The Group will take all necessary steps to reduce the impact of incidents involving personal
data by following the Data Security Breach Management Procedure. Where a data breach is
likely to result in a risk to the rights and freedoms of data subjects, the Group’s Data Protection
Officer (DPO) will liaise with the respective Business Unit DPO and the Regulator and report
the breach within the time specified by the respective jurisdiction. The Group DPO will also
advise, where necessary, on actions to inform data subjects and reduce risks to their privacy
arising from the breach.
All employees and contractors of the Group who discover a personal data security breach
shall also take the necessary steps as outlined in the procedure to immediately inform the
relevant Head of Department/Unit or project manager, who will contact the Group and/or
Business Unit DPO following the above procedure.
5.9. Data Security
We will take proportionate technical, physical and organisational measures consistent with
the Group’s IT Security Policies to ensure that all personal and sensitive personal data is held
securely and protected from destruction, loss, unauthorised access and disclosure.
Appropriate obligations will be incorporated into contracts with third parties.
5.10. Joint Controllership
In the event that multiple Business Units (joint controllers) jointly define the means and purposes
of processing personal data (along with one or more third parties, if applicable), the Group shall
conclude an agreement that stipulates their duties and responsibilities to the data subject whose
data they process.
Intra-group international data transfers will be subject to legally binding agreements referred to
as Binding Corporate Rules (BCR) which provide enforceable rights for data subjects.
5.11. Transfer of Data outside of the jurisdiction in which we operate
Transfers of personal data outside of the territories in which we operate will be carefully
reviewed prior to the transfer taking place to ensure that they fall within the limits imposed
by the relevant Data Protection Regulations, particularly the adequacy of the safeguards for
personal data applicable in the receiving country. Suitable tools can be:
o Agreement on standard contractual clauses,
o Recognition by the responsible supervisory authorities of the recipient’s binding corporate
rules as creating an adequate level of data protection.
5.12. Third Party Data Processors
External agencies contracted to undertake any data processing on behalf of the Group or
Business Units will be required to demonstrate compliance with the relevant Data Protection
practices of the Group as well as regulations in territories where we operate. This will include
demonstrating that they have the necessary technical and organisational measures in place to
protect personal data.
5.13. Training
Oversight for training and development would be carried out by the Office of the Chief Data
Officer and the Group Data Protection Officer. Business Units would provide support,
assistance, advice and training to all relevant departments, offices and staff to ensure they
are in a position to comply with the legislation. The Group’s DPO would assist the relevant
departments and Business Units in complying with the relevant Data Protection legislation.
6. ROLES AND RESPONSIBILITIES
Data protection compliance is a cooperative effort; the success of the program depends on
collaboration between key stakeholders. The Data Protection Management Programme (DPMP)
would be managed via a federated model (refer Appendix C).
6.1. Data Governance Committee
The DPMP and the framework, and the governance structure that supports it, are part of the
backbone of the Group’s overall data governance framework and ground accountable
decision-making around data. The Governance Committee would approve all relevant data
protection related policies, procedures and standards, monitor compliance and recommend
solutions to issues relating to data protection within the Group.
6.2. Office of the Chief Data Officer
While accountability for data protection at the operational level ultimately resides with the
Chief Executive Officer, day-to-day operational functions have been formally delegated to the
office of the Chief Data Officer. The office is charged with operationalising the Group’s
commitment to earn and maintain the trust of our clients and other stakeholders when it
comes to how we handle personal data.
6.3. Group and (where applicable) Business Unit Data Protection Officer
The Data Protection Officer (DPO) is responsible for educating the company and its employees
about compliance, training staff involved in data processing, and conducting regular privacy
audits. The DPO also serves as the point of contact between the company and any Data
Protection Authority that oversees activities related to Data Protection in the jurisdictions in
which we operate. The DPO’s responsibilities include, but are not limited to, the following:
o educating the company and employees on important compliance requirements
o privacy training staff involved in data processing
o conducting audits to ensure compliance and address potential issues proactively
o serving as the point of contact between the Group and the relevant Data Protection
Authorities
o monitoring performance and providing advice on the impact of data protection
efforts
o maintaining comprehensive records of all data processing activities conducted by
the company, including the purposes of all processing activities, which must be made
public on request
o interfacing with data subjects to inform them about how their data is being used,
their right to have their personal data erased, and what measures the company has
put in place to protect their personal information
6.4. Data Protection Coordinator
Support the work of the DPO within the respective Business Units.
Lead the respective Business Unit Privacy Team.
Advise departments within their respective Business Units on privacy-related concerns and
obligations.
Work at the direction of the DPO to develop and implement the needed controls and
measures to ensure compliance and structure and conduct privacy trainings to raise the
privacy awareness among employees.
6.5. Privacy Working Group
The Privacy Working Group would be established within the current federated Group Data
Governance operational model. The Working Group would focus on establishing and strengthening
the Group’s data protection related policies, procedures and standards to ensure that they reflect
the goals, values, and principles of the Group. The Working Group would be composed of members
of the respective Business Units with responsibility for Data Protection as well as representatives
from various departments such as Human Resources, IT, Legal, Compliance, Marketing, etc.
6.6. Business Unit Privacy Team
Each Business Unit, based on the legal requirements of the respective jurisdiction, shall
establish a Privacy Team. The team would focus on establishing and strengthening the
Group’s data protection related policies, procedures and standards to ensure that they reflect
the goals, values, and principles of the Group as well as the Business Unit and the applicable
laws. The team would be composed of members of the respective Operational Divisions as well
as representatives from Human Resources, IT, Legal, Compliance, Marketing, Customer Service,
etc.
6.7. Information Security
To help safeguard the personal information under our control;
To control access to personal information, limiting access to those who have a need;
To identify and remediate security risks to personal data;
To monitor, investigate and contain suspected personal data breaches.
6.8. Legal and Compliance
To work with the Group DPO to ensure our DPMP is compliant with the law and that we stay
up-to-date on new legal requirements and regulatory guidance;
To assist the Group DPO to respond in a prompt and appropriate manner to our regulators in
respect of matters relating to our handling of personal data; and
To protect our clients’ and team members’ privacy through established contract reviews and
controls wherever appropriate.
6.9. IT Procurement
To collaborate on the review, selection, and monitoring of partners and other organisations
who handle or have access to personal information of our clients or team members;
To ensure that appropriate contractual controls around the privacy and security of data are
in place with such organisations.
6.10. Human Resources
To work with the Group DPO to promote privacy training and awareness for all of our team
members;
To ensure that our people & culture practices reflect our commitments to team member
privacy;
To support the enforcement of our rules and standards put in place to protect client and team
member privacy, providing coaching and discipline where appropriate;
To review team member compliance with ethics, privacy, security and respectful workplace
policies including the review of any breach of obligations under those policies to ensure that
appropriate disciplinary action is taken, up to and including dismissal.
6.11. Product Development and Management Teams
To ensure, by embracing the principles of Privacy by Design, that our products and services
support our commitment to protect privacy and to be transparent about our personal data
handling practices.
6.12. Group Risk
To identify, manage, monitor and report on privacy related risk at the Group level;
To assist in the identification of privacy-related compliance risk and support
recommendations from our internal audit process.
6.13. Data Steward
Serve as a subject matter expert (SME) for their data domain.
Identify and work with Data Owner and Data Custodians to resolve data issues.
Act as a member of the Data Governance Working Group.
Responsible for establishing requirements and assessing the quality of the data within their
respective Business Unit/Data domain.
Responsible for the creation and management of data standards and business rules within
their respective Business Unit/Data domain.
Perform audits and data quality improvement activities, including taking corrective action to
the data within their respective Business Unit/Data domain.
6.14. All Business Units
To maintain awareness about privacy to ensure that every team member understands that
they have personal responsibility for meeting the Group’s privacy commitments every day in
everything they do;
To appoint data stewards to be advocates for data governance and data management
processes within the business unit to ensure data governance principles and standards are
successfully operationalized.
6.15. All Staff
All Staff (including contingent workers and contractors) have a responsibility to:
o Comply with the Data Protection Policy and its associated policies and procedures.
o Participate in training related to data protection.
7. ENFORCEMENT
Failure to comply with the Group Data Protection Policies, associated standards and processes
will result in non-compliance with the Data Protection laws under which the Group and its
respective Business Units fall. Such non-compliance would result in loss of trust by clients,
reputational harm and can adversely impact the financial standing of the Group.
The Group’s Disciplinary Policy would be referenced in cases of violation and/or non-adherence
to this policy and may result in the denial of requests, and impairment of user rights to access
data/systems in the first instance.
8. POLICY ADMINISTRATION
The Office of the Chief Data Officer is responsible for the administration, revision, interpretation,
and application of this policy. This policy will be reviewed annually. All changes to this policy will
be passed to the Data Governance Council for approval on the recommendation of the Chief Data
Officer.
The Group may at any time, by notice in writing, alter all or any of the terms and conditions of the
Policy; such alterations shall have effect from the date specified in such notice. Changes to the
Appendices are considered minor edits under the Group’s Policy Framework and thus can be
approved by the Chief Data Officer.
9. OTHER RELATED POLICIES
Group Data Quality Policy
Group Data Retention Policy
Group Data Sharing Policy
Group Data Protection Policy
Group Information Security Governance Policy
Group Information Classification Policy
10. VERSION HISTORY
Version | Date              | Summary                                                                                  | Changed By
V1      | 19th January 2021 | Initial Draft                                                                            | Rishi Maharaj
V1.1    | 01st March 2021   | Revised based on comments from Eduard Mouget – Mgr. Enterprise IT Risk & Security        | Rishi Maharaj
11. Appendix A - Guardian Group Data Protection Principles
The Guardian Group shall observe the following principles when processing personal data that are
subject to the Data Protection laws and regulations where we operate:
1. Due Care – We process personal and sensitive personal data with due care, in a fair, lawful and
transparent way.
2. Data Quality
a. Purpose Limitation: We only process personal data to fulfil specific, clear and legitimate
business purposes. We may make specific, clear and legitimate changes to our business
purposes.
b. Data Minimization & Accuracy: If informed of changes in personal data, or if we make
changes as a part of our processing of personal data, we ensure that:
i. All personal data are up-to-date and that if any personal data are inaccurate,
these are promptly erased or rectified as is appropriate bearing in mind why we
are processing personal data.
ii. Any updates to personal data are reflected across our systems and databases
whether internal or external.
iii. The personal data collected will be adequate and limited to what is necessary for
our business purposes.
c. Storage Limitation: We only keep personal data for as long as we need to meet our
business purposes or as required by law.
3. Transparency & Openness – Generally, we collect personal data directly from the client. If we
collect personal data from other sources, it is because this is reasonable and permitted by law.
The information we provide may differ depending on the source of the personal data.
4. Lawfulness of Processing
a. Lawful Basis for Processing Personal Data: We only use personal data if we have a lawful
basis to do so. Where processing is necessary, these reasons include the need to:
i. Create a contract with a client or take steps at the client’s request before entering
into a contract
ii. Comply with our legal obligations
iii. Protect vital interests of our clients or those of another individual
iv. Perform a task in the public interest or to exercise an official authority vested in
us, or
v. Undertake actions for our legitimate business interests or the business interests
of a third party, except if these legitimate interests are overridden by the client’s
interests or fundamental rights and freedoms
b. Consent: If we process personal data based on consent, we:
i. Ensure that the wording and format used to collect consent is clear and easy to
understand, and that consent is freely given, specific, informed and clear
ii. Have processes to record the giving and withdrawal of consent and ensure that
one can withdraw their consent easily. We also inform of this withdrawal right
before consent is given
iii. Ensure that if consent is collected as part of a written declaration that also
concerns other matters, such as a contract, the request for consent in the written
declaration is presented in a manner clearly distinguishable from the other
matters.
5. Relationship with Data Processors (for example, service providers working for us) – We only
allow data processors acting on behalf of the Group to collect and process personal data if they
enter into a written agreement with us outlining data privacy & protection requirements. To
ensure the quality of this process, we:
a. Conduct due diligence checks and risk assessments to evaluate data processors to ensure
they meet our security and confidentiality obligations and protect the personal data concerned.
b. Periodically monitor data processors to verify on-going compliance with their data privacy
& protection obligations.
6. Security & Confidentiality – We handle personal data in accordance with the information security
policies and standards of the Group and in accordance with the laws and regulations that apply
to us. We adopt appropriate technical and organisational security safeguards to protect personal
data against risks that may result from improper use, particularly, against the accidental or
unlawful destruction, alteration or loss, as well as unauthorized disclosure of or access to personal
data. The measures depend on factors such as the state of the art, nature and scope of the
processing and level of risk, but may include:
a. Using encryption, anonymization and partial anonymization of personal data, if
appropriate
b. Regularly testing, assessing and evaluating the effectiveness of security measures for
ensuring the security of the processing
c. Maintaining business continuity and disaster recovery plans and contingencies including
ongoing confidentiality, integrity, availability and resilience over systems and services.
7. Personal Data Loss – We will inform the respective stakeholders, based on lawful requirements, if
a personal data loss incident is likely to result in a high level of risk to their rights and freedoms,
including the following specifics:
a. Nature of the personal data loss incident
b. Likely consequences of the personal data loss incident
c. Measures we are taking or plan to take to address the personal data loss incident,
including, if appropriate, measures to mitigate its impact.
8. Privacy by Design & Default
a. Privacy by Design: We consider the principle of privacy by design when designing or
changing an aspect that impacts upon the processing of personal data (for example,
developing a new product, service or information technology system) to help us:
i. Identify and limit the data protection impacts and risks of processing
ii. Comply with legal obligations affecting the processing
iii. Limit the data we collect or identify different ways that lessen the impact upon
data privacy & protection while meeting the same business goal.
b. Privacy by Default: We use appropriate technical and organisational measures to ensure
that, by default, we only collect and process personal data needed for our business
purposes. We also use this principle to embed data privacy & protection controls into our
processing activities, which means that personal data will not be published or shared by
default.
9. Cooperation with Data Protection Authorities – We will cooperate with data protection
authorities in the jurisdictions in which we operate by:
a. Making the necessary personnel available for liaison with the respective data protection
authorities
b. Complying with their advice on any matter regarding the rules for international transfers.
12. Appendix B - Guardian Group’s Data Protection Management Program Framework
The primary objective of the Group’s DPMP Framework is to provide guidance to our internal privacy
team and DPO in assessing whether our control objectives for personal data are achieved. It
can additionally be used as a tool by both our internal and external auditors in auditing compliance.
The Framework is based on the following ‘best practice’ frameworks (see Appendix A for a full outline
of the DPMP Framework):
GAPP Principles - issued by the AICPA/CICA;
The NOREA Privacy Control Framework;
The General Data Protection Regulations; and
ISO/IEC 27701:2019
Figure 1: DPMP Framework (stages: Manage, Collect, Process, Access, Disclose, Secure, Enforce)
13. Appendix C - Guardian Group’s Data Protection Management Program Federated Governance
Model
Figure 2: Group Data Protection Governance Structure (Recommended)
The figure shows the federated model as layers, with implementation flowing down and escalation flowing up:
The Board of Directors, CEO, Executive Team – The overall sponsor and champion of Data Protection within the Group.
Data Governance Council (Governance) – Handles administrative aspects of Data Protection.
Office of the Chief Data Officer (Management) – Establishes and oversees vision and goals, prioritizes targets to align with the organization and sets the strategic direction for the Data Protection Program.
Data Protection Officer – Responsible for educating the Group and its employees about compliance, training staff involved in data processing, and conducting regular security audits. Serves as the point of contact between the Group and any Regulator that oversees activities related to Data Protection.
Group Data Protection Team, BU Data Protection Teams and BU DPOs (Data Protection Teams) – Provide assistance to the DPO in monitoring and managing data protection compliance. Address specific issues and concerns by providing information, data dependencies for tools, and direct support to the data protection program.